Topic 12D Flashcards

1
Q

security information and event management (SIEM)

A

Software designed to assist with managing security data inputs and provide reporting and alerting

The core function of a SIEM tool is to collect and correlate data from network sensors and appliance/host/application logs.

2
Q

Agent-based collection

A

This approach means installing an agent service on each host. As events occur on the host, logging data is filtered and sent to the SIEM server.

The agent must run as a process, and could use from 50–500 MB of RAM, depending on the amount of activity and processing it does.

3
Q

Different types of collection

A

Agent based - Installing an agent on a server

Listener/collector - hosts can be configured to push log changes to the SIEM server

Sensor - A sniffer can record network data using either the mirror port functionality of a switch or using some type of tap on the network media.

4
Q

Listener/collector

A

Hosts can be configured to push log changes to the SIEM server.

A process runs on the management server to parse and normalize each log/monitoring source.

This method is often used to collect logs from switches, routers, and firewalls, as these are unlikely to support agents.

5
Q

log aggregation

A

Refers to normalizing data from different sources so that it is consistent and searchable.

SIEM software features connectors or plug-ins to interpret (or parse) data from distinct types of systems and to account for differences between vendor implementations.

Each agent, collector, or sensor data source will require its own parser to identify attributes and content that can be mapped to standard fields.

6
Q

“single pane of glass”

A

Consolidating SIEM activities into a single management interface.

7
Q

SIEM correlation rule

A

A statement that matches certain conditions. These rules use logical expressions, such as AND and OR, and operators, such as == (matches), < (less than), > (greater than), and in (contains).

For example, a single user login failure is not a condition that should raise an alert. Multiple failures in a short space of time may be a cause for concern.

8
Q

SIEM threat intelligence feed

A

This means that data points observed in the collected network data can be associated with known threat actor indicators, such as IP addresses and domain names.

9
Q

When used in conjunction with a SIEM, two particular steps in alert response and remediation deserve particular attention:

A

Validating false positives / false negatives

Quarantine

10
Q

One of the advantages of SIEM and advanced security orchestration, authorization and reporting (SOAR) solutions is to

A

Fully or partially automate validation and remediation.

For example, a quarantine action could be available as a mouse-click action via an integration with a firewall or endpoint protection product.

Validation is made easier by being able to correlate event data to known threat data.

11
Q

SIEM different types of reports

A

Executive reports support planning and investment activity.

Manager reports guide day-to-day operational decision making.

Compliance reports provide information for regulators.

12
Q

retention policy

A

A SIEM can enact this to allow retrospective incident and threat hunting, and can be a valuable source of forensic evidence.

It can also meet compliance requirements to hold archives of security information.

A log rotation scheme can be configured to move outdated information to archive storage.

13
Q

Correlation rules assign a criticality level. Examples include:

A

Log only—an event is produced and added to the SIEM’s database, but it is automatically classified.

Alert—the event is listed on a dashboard or incident handling system for an agent to assess.

Alarm—the event is automatically classified as critical, and a priority alarm is raised. This might mean emailing an incident handler or sending a text message.

14
Q

Alert tuning

A

Adjusting the rate and the circumstances under which alerts are triggered. Alert fatigue can weaken defenses, as too many alerts coming through overwhelm analysts.

You can refine detection rules and mute certain alert levels.

Redirect alert floods to a dedicated group.

Deploying machine learning (ML) analysis—ML is able to rapidly analyze the sort of data sets produced by SIEM. It can be used to monitor how analysts are responding to alerts, and attempt to automatically tune the ruleset in a way that reduces false negatives without impacting true positives.

15
Q

network monitor

A

Collects data about network infrastructure appliances, such as switches, access points, routers, and firewalls.

Used to monitor load status for CPU/memory, state tables, disk capacity, fan speeds/temperature, network link utilization/error statistics, and a heartbeat to indicate availability.

This data might be collected using the Simple Network Management Protocol (SNMP).

16
Q

SNMP trap

A

Informs the management system of a notable event, such as port failure, chassis overheating, power failure, or excessive CPU utilization.

Trap thresholds are set individually.

17
Q

flow collector

A

A means of recording metadata and statistics about network traffic rather than recording each frame.

18
Q

Flow analysis tools can help in what ways?

A

Highlighting of trends and patterns in traffic generated by particular applications, hosts, and ports.

Alerting based on detection of anomalies, flow analysis patterns, or custom triggers.

Visualization tools that show a map of network connections and make interpretation of patterns of traffic and flow data easier.

Identification of traffic patterns revealing rogue user behavior, malware in transit, tunneling, or applications exceeding their allocated bandwidth.

Identification of attempts by malware to contact a handler or command & control (C&C) channel.

19
Q

NetFlow

A

A Cisco-developed means of reporting network flow information to a structured database.

A particular traffic flow can be defined by packets sharing the same characteristics, referred to as keys.

20
Q

What is a flow label?

A

A selection of keys.

A flow label is defined by packets that share the same key characteristics, such as IP source and destination addresses and protocol type. These five bits of information are referred to as a 5-tuple. A 7-tuple adds the input interface and IP type of service data.

When a flow expires or becomes inactive, the exporter transmits the data to a collector.

21
Q

What is a flow record?

A

Traffic matching a flow label.

22
Q

system monitor

A

Software that tracks the health of a computer’s subsystems using metrics reported by system hardware or sensors. This provides an alerting service for faults such as high temperature, chassis intrusion, and so on.

Uses SNMP traps.

23
Q

Cloud monitors

A

Assess different facets of cloud services, such as network bandwidth, virtual machine status, and application health.

24
Q

antivirus scan (A-V)

A

Better conceived of as endpoint protection platforms (EPPs) or next-gen A-V.

Many suites also integrate with user and entity behavior analytics (UEBA) and use AI-backed analysis.

25
Q

Data loss prevention (DLP)

A

Mediates the copying of tagged data to restrict it to authorized media and services.

26
Q

Security Content Automation Protocol (SCAP)

A

Allows compatible scanners to determine whether a computer meets a configuration baseline.

SCAP uses several components to accomplish this function:

27
Q

What does SCAP use to determine whether a computer meets baselines?

A

Open Vulnerability and Assessment Language (OVAL)—an XML schema for describing system security state and querying vulnerability reports and information.

Extensible Configuration Checklist Description Format (XCCDF)—an XML schema for developing and auditing best practice configuration checklists and rules. XCCDF provides a machine-readable format that can be applied and validated using compatible software.
